Data Protection Act 2018: Judgment on processing for law enforcement purposes07/05/19
Following a judicial review challenge, the High Court has concluded that an Information Sharing Agreement (ISA) between Sussex Police and the area Business Crime Reduction Partnership (BCRP) complied with the requirements of the Data Protection Act 2018. This is the first case that has dealt in detail with a challenge to the lawfulness of sharing data under the ‘law enforcement’ provisions in the Data Protection Act 2018. It therefore is of interest to police forces, and also to partner agencies and organisations with whom crime-related information is shared.
The claim was brought following the disclosure to the BCRP of the name, date of birth and photograph of a 16-year-old (C), plus bail conditions to which she was subject, and an assessment of her vulnerability to child sexual exploitation. The BCRP has more than 500 members, including businesses and retailers, private security firms, pubs, bars and nightclubs. The BCRP’s main role is the management of an exclusion notice scheme, prohibiting persons from entering its members' premises. Information sharing under the agreement took place via a secure intranet, to allow members to identify individuals who may be subject to exclusion.
The Court held that the Sussex Police was a data controller of the data it shared, but left open the question of whether the BCRP members were joint controllers or independent controllers (although the court leaned towards the former). The court held nothing turned on the distinction.
The Court listed the various statutory requirements to have safeguards in place connected with the processing/sharing of personal data. However, the Court held that the assessment of whether the ISA breached the Data Protection Act 2018 needed to take account of all the various safeguards that were in place, in a holistic manner. The Court went on to assess whether the safeguards in place through the agreement were sufficient to meet the statutory requirements, and in particular by reference to an assessment of:
- the nature of the data that shared under the agreement;
- the provisions as to who it was shared with and control over any onward sharing;
- the requirements for the training and vetting of recipients of the data; and
- the degree to which the specific interests of children are factored into the proportionality exercise.
Taken together, the Court’s view was that the ISA, together with the various appendices and a ‘legitimate interests assessment’, did provide sufficient safeguards and effective measures, including technological measures, to meet the relevant requirements of the Data Protection Act 2018. In reaching that conclusion, the Court took into account the purposes of the ISA (public protection and the prevention of crime), and therefore the need for sharing with a fairly wide group, i.e. employees of BCRP members.
However, the Court concluded that the sharing of the assessment of C’s vulnerability to CSE, which pre-dated the Data Protection Act 2018, was unlawful.
What to take away
The case is useful in setting out an approach that Court may well take going forwards in challenges to data sharing exercises (whether by the police under the Data Protection Act 2018, or others under the GDPR).
The ISA under challenge was an extensive and iterative document, supported by various operating procedures and a technical network, and controls over how data was shared in practice. The fact that there were documented controls in place, and these formed part of a ‘holistic’ set of measures, played in the police’s favour. Forces and organisations may wish to compare their own similar arrangements to the Sussex model.
However, the Court was critical of some of the drafting in the ISA, and in particular that certain provisions were ‘opaque’, and that appendices were missing/misnamed. This illustrates the importance of keeping agreements (and the underlying arrangements) under review as ‘living’ documents, rather than simply as a ‘one time’ exercise in compliance. The judge was also critical of the police’s approach to disclosure and their late submission of evidence as amounting to a failure to comply with the ‘duty of candour’ in the judicial review proceedings itself – which in the judge’s eyes did not sit comfortably in a challenge about disclosure and information law. The Court concluded that there almost certainly was relevant material that had not been disclosed by the police. Public bodies under challenge in JR proceedings are required to "assist the court with full and accurate explanations of all the facts relevant to the issue the court must decide" and to disclose "materials which are reasonably required for the court to arrive at an accurate decision".
Finally, the conclusion that the sharing of the CSE information was unlawful illustrates that it is not simply a question of what the underlying arrangements are, but how they are applied in practice, that poses a legal risk to organisations.
A copy of the judgment is available here.